Anti-Spam

Cryptolocker is one of the most notorious attacks we've seen in a while, one that would definitely ruin someone's day, or in this case holiday spirit. As of December 16, 6:53AM PST, Barracuda Real-Time Systems have intercepted and blocked a new version which, according to VirusTotal, was detected by only 1 of 54 antivirus engines at the time.

The attack comes as an email disguised as a notice from the State Debt and Recovery office in Australia. It uses a common fear tactic: a camera has caught the recipient speeding, and a fine must now be paid to avoid suspension of the driver's license or vehicle registration.

Once the victim clicks “Invoice” or “View Camera Images”, the browser is sent to a website that instructs the victim to download a penalty or reminder notice.

The web page uses a working CAPTCHA: the download only proceeds when the right combination of letters and numbers is entered. This is probably another trick by the attackers to make the site look legitimate, and it has the side effect of keeping automated crawlers and sandboxes from fetching the payload.

Once the file is downloaded and run, Cryptolocker encrypts the data on the host computer, rendering the files unusable until payment is made.

These newer versions do not appear to be tied to the original Cryptolocker, whose infrastructure was reported to have been disrupted, so we should remain vigilant for the copycat attacks that have followed and will certainly continue to follow.

As always, unexpected email should be treated with extreme caution. Keep antivirus up to date, do not open attachments or follow links in suspicious email from unknown senders, and, because a 1-in-54 detection rate means antivirus alone will not stop a fresh variant, keep offline backups that ransomware running on the host cannot reach.

Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.

AppSec USA is coming up next week and our own Daniel Peck will be there to discuss a new approach to phishing detection. Daniel is a Principal Research Scientist who works primarily on social networks as an attack vector. His research includes work such as:

Comparing content and non-content based systems to identify malicious accounts on Twitter/Facebook


Spammers ask themselves, what sort of email will people click on? The offer of a big sale? Notice of a missed package? An email from a lonely Russian girl?

How about a flight you don't remember booking? If you're a frequent flyer, the appearance of an unanticipated itinerary in your inbox could have you clicking without thinking, and that would be a very bad thing.

This is especially true if you were the recipient of a very convincing piece of spam we found this week.

One way that spammers enhance the illusion is to construct long, confusing links containing elements that mimic the domain you would expect to see when you examine the link. For example, all of the links in this spam point to accidentology.info, a newly registered throwaway domain created, presumably, just for this campaign. However, the name of the web page that serves the initial redirection is:

/www.aa.com.reservation/viewFareRuleDetailsAccess.do.html

The intent is to draw your eye to the part that says www.aa.com, even though that string is only a directory name in the path; the host that actually serves the page is accidentology.info. The exploit pages themselves are served from a long subdomain that starts with www.aaa.com.reservation….., another attempt to disguise the fact that they come from a malicious domain registered only days earlier. Only the rightmost labels of a hostname identify its owner; everything to the left is chosen by whoever controls that domain.

Although all of the links in the spam are slightly different, they all accomplish the same thing: they lead to an instance of the BlackHole exploit kit, which fingerprints the browser and its plugins and serves a matching exploit. In our test case, Java was exploited.

Ultimately a version of Trojan.Zeus, a password stealer, was installed on the machine, and the Trojan went right to work contacting its command and control servers.

Our standard advice applies. Don't click on links in unsolicited emails, even if they appear to come from someone you know. Even if an email looks convincing, type the site's address into the browser yourself instead of clicking the link within the email. Make this your standard operating procedure and you can avoid clever attacks such as this one.


The criminal gangs that distribute the password-stealing Trojan.Zeus have taken their spam campaigns in a frightening new direction. Having already targeted credit card point-of-sale users and wire transfer users, their latest spams are crafted to appeal to tax preparation professionals by posing as an official IRS communication. What's worse is that the payload isn't an attachment or a link to a download. Rather, the link leads to a Web site hosting an exploit kit that probes your computer's software for unpatched vulnerabilities and automatically installs the Zeus password stealer.

The messages don't give you much to be suspicious about at first. They come from a generic-looking sender name and use the recipient's own email ID as the subject line.

The text itself is very well written, as well it should be: it is an almost exact cut-and-paste of an IRS announcement from 2004, IR-2004-67 to be precise.

The item to examine closely is the link embedded near the bottom of the message. Although the link text says irs.gov, the href actually points to one of a set of malicious domains with vaguely official-sounding names, in this case irsgovnews.com (warning: do not visit that domain in your Web browser). Hovering over the link, or viewing the message source, reveals the real destination.

These domains serve JavaScript that does two things. First, it displays a pop-up saying that your browser cannot reach the site. That is not true: the alert is generated by the site itself, and its purpose is to keep you from suspecting what comes next.

Next, the JavaScript redirects the browser to another domain that hosts the Blackhole exploit kit. The kit serves specially crafted content that tries to exploit unpatched vulnerabilities in browser plugins such as Java or Windows Media Player.

If a vulnerable plugin is found, Zeus is downloaded and installed silently behind the scenes. Previous spam campaigns required you to click “Run” to install the malware payload; with an exploit kit there is no second prompt, and Zeus is installed without any further user interaction. Once you click the link in the email on an unpatched machine, it's game over.

Visit www.barracuda.com for information on how to protect your business from these attacks.

Our spam monitoring systems at Barracuda Labs are following a very large spam campaign carrying Trojan.Zeus. Volume is approaching many hundreds of thousands of messages a day, and although they are delivered to a wide cross-section of Internet users, the content is aimed at users of online banking services.

When spam delivers malware, one of the most common strains it carries is the password-stealing Zeus Trojan. Zeus specifically targets banking passwords, and the gangs that distribute variants of this malware are especially interested in banking credentials belonging to small businesses and government agencies. Compared to the average consumer, these entities often have more money in their accounts and set higher limits on wire transfers. One thing small organizations don't always realize is that they do not enjoy the same protections against fraudulent transactions that consumers do.

The spams load their graphics from the Federal Reserve's own servers and pose as notices of a failed wire transfer:

Much like last week's Chase Paymentech spam campaign, these notices are of particular interest to financial professionals. Unlike the more sophisticated Chase emails, these are a simple affair with poorly constructed text and no attempt to hide the executable nature of the linked payload.

Still, a busy executive might just skim the spam and click on the attachment, which produces a Windows security warning:

The spammers hide behind a double extension, .pdf.exe, but this is no PDF. It is an executable program, and because Windows hides the final extension of known file types by default, the file can appear in Explorer as a plain .pdf. The Federal Reserve is not going to send you vital information coded into a program. Don't run it.
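The double-extension trick above, and the more general rule that an attachment is what its bytes say rather than what its name claims, can be checked mechanically before a message reaches a user. The following Python is an added example and not Barracuda's code: the extension lists, the magic-byte table and the sample file names and bytes are constructed for illustration.

```python
# Added example (not Barracuda's code): classify an email attachment by its
# file name and, when the bytes are available, by its content. Extension sets
# and sample names are assumptions chosen to illustrate the .pdf.exe trick.

# Extensions Windows will run directly when double-clicked (illustrative subset).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "hta"}
# Extensions used as bait because users regard them as "just something you read".
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "html"}

# Leading bytes that identify common containers (file "magic").
MAGIC = [
    (b"MZ", "pe"),                                   # Windows executable
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls container
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx
]


def sniff_type(data: bytes) -> str:
    """Identify a file by its first bytes, ignoring whatever the name claims."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is dropped, so Notice.pdf.exe is shown as Notice.pdf."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def classify_attachment(filename: str, data: bytes = b"") -> tuple:
    """Return (verdict, reason); verdict is 'block' or 'inspect'."""
    # Strip whitespace around each label to defeat 'Notice.pdf      .exe' padding.
    parts = [p.strip().lower() for p in filename.split(".")]
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""

    # Content wins over name: an MZ header is an executable whatever it is called.
    if data and sniff_type(data) == "pe":
        return ("block", f"content is a Windows executable although name says .{ext or 'none'}")
    if ext in EXECUTABLE_EXTENSIONS:
        if inner in DOCUMENT_EXTENSIONS:
            return ("block", f"double extension: shown as .{inner}, runs as .{ext}")
        return ("block", f"executable attachment (.{ext})")
    # Documents are not executed directly but can carry embedded objects
    # (the Flash-in-Word case later on this page), so they still need scanning.
    return ("inspect", f".{ext or 'none'} is not directly executable; scan content")


# Constructed sample attachments (names and bytes are made up for this example).
SAMPLES = {
    "Wire_Transfer_Notice.pdf.exe": b"",             # name only, bytes not yet fetched
    "Wire_Transfer_Notice.pdf   .exe": b"MZ\x90\x00",
    "Statement.pdf": b"MZ\x90\x00",                  # executable wearing a PDF name
    "merchant_info.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "invoice.pdf": b"%PDF-1.4\n",
}


def scan_samples() -> dict:
    """Verdict for every constructed sample, keyed by file name."""
    return {name: classify_attachment(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify_attachment(name, data)
        print(f"{name!r:38} shown as {displayed_name(name)!r:34} -> {verdict}: {reason}")
```

The name check alone catches the .pdf.exe campaign described here; the magic-byte check is what catches the next campaign, where the attacker stops bothering with a double extension and simply names the executable Statement.pdf.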

If you do, you've installed Zeus:

It will run quietly in the background, intercepting browser traffic, watching for credentials and sending any it finds off to its command and control server.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

The spam monitoring systems at Barracuda Labs have uncovered an especially objectionable spam campaign that poses as a sign-up email from the Chase Bank credit card processing service Chase Paymentech.

We see lots and lots of spam at Barracuda Labs. Even if the sender isn't suspect, it is still generally easy to spot either because of the subject matter or flaws in the content.

What makes this spam dangerous is a combination of convincing content and deceptive payload. Examining this spam highlights the risk that comes with assuming one can always judge spam by its appearance alone.

These spams are particularly well done. The only suspicious element is that the From: address is not a Chase Bank address, an unusual failure given how easy it is to fake the From: field in an email.

The email invites you to activate a credit card payment account and tells you that your first step is to find your merchant ID and user ID in the attached Microsoft Word document. That Word document is what indirectly delivers the malware payload.

Older vulnerabilities in Microsoft Word have largely been patched or mitigated, and many users no longer treat Word attachments as something to worry about. While users have become more suspicious of programs that must be downloaded and run, they're far more likely to open a document, which is “just something you read.”

Unfortunately, malware distributors have recently discovered that common vulnerabilities in Adobe's Flash Player can be exploited by embedding a malicious Flash object in a Word document: Word loads the Flash Player ActiveX control to render the object, so the Flash bug is reachable without the browser ever being involved. This takes users who aren't likely to suspect a Word document of malicious intent and puts them at risk the moment they open it.

That's what happens here. If you open the attached merchant_info.doc, you cannot see the Flash object embedded in it. In fact you don't see much of anything for the minute or two it takes the Flash code to download and install malware on your Windows computer.

Once the infection is accomplished, this Word document closes and you're back to staring at the email and wondering what went wrong. Meanwhile your computer is running Trojan.Zeus in the background.

Zeus quietly monitors your Internet traffic looking for username and password data. It saves them and periodically sends them off to control servers elsewhere on the Internet.

The content of this spam is of particular interest to financial professionals, making the installation of a password stealer that much worse. Trojan.Zeus has been implicated in many instances of online theft from small business accounts, especially since small business banking involves higher dollar amounts and does not carry the same level of theft protection as consumer accounts do.

The Adobe vulnerabilities that allow this to succeed have been used in a number of recent email attacks. We strongly recommend you upgrade all of your Flash installations by visiting http://get.adobe.com/flashplayer. Note that the ActiveX control used by Internet Explorer and Office is installed separately from the plugin used by other browsers, so check both.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

Barracuda Labs researchers have recently seen a particularly nasty variant of Trojan.FakeAV spreading in the wild. We have seen this fake antivirus malware delivered both by drive-by exploits and by direct links embedded in enticing spam emails. The first sign of infection is a very convincing copy of a Microsoft Security Essentials alert. The malware then prevents the victim from running most programs on the desktop.

When the real Microsoft Security Essentials antivirus program encounters malware on a computer it displays an alert such as this one:

A computer that has been attacked by this strain of Trojan.FakeAV immediately displays the following very similar alert:

The difference is that the second alert will continue to reappear even if the user closes it. Any attempt to run Outlook or Internet Explorer, open a command window or even run the Task Manager will be intercepted and the alert will re-display. The inability to run most common programs on the computer leaves the uninformed user with no alternative but to explore the alert. Choosing “Clean Computer” or “Apply Actions” brings up an interesting scan dialog:

A large list of antivirus product trademarks is displayed. Unfortunately, none of the well-known products seem to be able to find any problems. Cleverly interspersed with the reputable programs are images for five bogus antivirus ‘products' including:

Of course, no scanning ever happened, and the programs listed above are all built directly into the malware. They all appear identical except for a name change. If the user installs the first one, this is displayed:

We were particularly amused by the wholesale theft of the GNU “free software” license agreement. Behind the scenes, the installation of any of these bogus ‘products' sends messages across the Internet to IPs 85.234.191.174 and 85.234.191.180, both of which are located in Latvia. The first is the home of a malicious fake porn site and the second hosts a site whose main page simply reads “There is nothing here”.

Once ‘installed' the program goes right to work fixing ‘problems'. Unfortunately some of those problems require a missing “heuristic module”.

Ignoring this requirement results in an error message. Outlook, Internet Explorer, Task Manager – the most basic Windows programs still will not run. Eventually the user might be tempted to click the purchase button for that module:

Fixing the Problem

While many programs cannot be opened, it is still possible to open the file explorer. The malware file is found in the user's Application Data folder, which is hidden by default, so hidden files must be shown first. Once the file is renamed it will no longer be loaded on reboot, and the machine can be cleaned using a reputable antivirus program. Renaming rather than deleting also keeps a copy for analysis. If Explorer is blocked as well, booting into Safe Mode usually prevents the startup entry from loading and allows the same cleanup.

Barracuda Web Filters and the Barracuda Web Filtering Service stop the download of this threat.

Barracuda Labs has seen an enormous increase – in fact, well over one million instances a day – of spam containing malicious HTML attachments. The attackers are trying every trick in the book, from using trending news topics to sending deliberately vague messages, with the hope that users will be curious enough to open the HTML. After all, what harm can an HTML file do?

The answer is – plenty.

For years computer professionals have been telling email users to be particularly careful with emails from sources they do not recognize, and even with unusual-looking email from sources they do trust. Users have been warned of the potential dangers of clicking on a file or link that arrives in an email. But many people assume that an HTML file is just a web page and that web pages are safe. This assumption is misleading, and the examples below show why HTML attachments are just as serious a threat as other attachment types.

Attracting attention by latching on to the latest breaking news is a technique that attackers have used for quite some time. In fact, several examples of SEO poisoning and search malware are explored throughout barracudalabs.com and this blog. Google hot-topic search results are frequently littered with links to hacked sites that serve up malicious JavaScript. Now the attackers are taking that a step further: instead of waiting for the user to come to a hacked site, they simply email the same malicious JavaScript straight to the inbox as an HTML attachment. Because the attachment opens in the local browser, any script it contains runs just as it would on a hacked web page, and it can redirect to, or pull content from, any site the attacker chooses.

A seemingly innocent HTML email attachment can do plenty of damage: it is quite stealthy, and definitely not harmless.
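As an added example that is not part of the original post, here is a static triage pass in Python over an HTML attachment. It looks for the building blocks described on this page: obfuscated or redirecting JavaScript, the fake “cannot reach the site” alert followed by a redirect used by the IRS campaign above, hidden iframes, meta refreshes and credential forms. The indicator names and both sample documents are constructed for the example; nothing here executes the script, it only inspects it.

```python
# Added example (not Barracuda's code): a static triage pass over an HTML
# attachment. It does not execute script; it only looks for the building
# blocks the campaigns on this page rely on. Indicator names and the two
# sample attachments are constructed for this example.
import re
from html.parser import HTMLParser
from urllib.parse import unquote


class _Collector(HTMLParser):
    """Pull out the parts of an HTML document that carry active content."""

    def __init__(self):
        super().__init__()
        self.scripts, self.script_srcs, self.iframes = [], [], []
        self.meta_refresh, self.form_actions = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "iframe":
            self.iframes.append(a)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh.append(a.get("content", ""))
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:            # script bodies arrive here unchanged
            self.scripts.append(data)


OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
REDIRECT = re.compile(r"\blocation(\.href|\.replace|\.assign)?\s*[=(]", re.I)
ALERT = re.compile(r"\balert\s*\(", re.I)
UNESCAPE_ARG = re.compile(r'''unescape\(\s*["']([^"']+)["']\s*\)''', re.I)


def _hidden(iframe: dict) -> bool:
    style = iframe.get("style", "").replace(" ", "").lower()
    return (iframe.get("width") in ("0", "0px") or iframe.get("height") in ("0", "0px")
            or "display:none" in style or "visibility:hidden" in style)


def scan_html(html: str) -> dict:
    """Return indicators found, any URLs hidden behind unescape(), and a verdict."""
    p = _Collector()
    p.feed(html)
    p.close()
    js = "\n".join(p.scripts)
    indicators = []
    if OBFUSCATION.search(js):
        indicators.append("obfuscation")
    if REDIRECT.search(js):
        indicators.append("redirect")
    if ALERT.search(js) and REDIRECT.search(js):
        indicators.append("alert-then-redirect")   # the fake "cannot reach site" pop-up
    if any(_hidden(f) for f in p.iframes):
        indicators.append("hidden-iframe")
    if p.script_srcs:
        indicators.append("external-script")
    if p.meta_refresh:
        indicators.append("meta-refresh")
    if p.form_actions:
        indicators.append("form-post")              # a place for credentials to go
    decoded = [unquote(arg) for arg in UNESCAPE_ARG.findall(js)]
    return {"indicators": indicators, "decoded_urls": decoded,
            "verdict": "block" if indicators else "allow"}


# Constructed samples; the encoded string decodes to http://redirect.example/
MALICIOUS_SAMPLE = """<html><body>
<p>Your document is loading, please wait...</p>
<script type="text/javascript">
alert("Error: the page cannot be displayed. Please try again later.");
var u = unescape("%68%74%74%70%3A%2F%2F%72%65%64%69%72%65%63%74%2E%65%78%61%6D%70%6C%65%2F");
window.location.href = u;
</script>
<iframe src="http://redirect.example/frame" width="0" height="0"></iframe>
</body></html>"""

BENIGN_SAMPLE = """<html><body><h1>Invoice 1234</h1><p>Total due: $42.00</p></body></html>"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html(doc))
```

Decoding the unescape() argument is the useful part for an analyst: it surfaces the real destination without ever loading the page. A scanner like this is a triage filter rather than a verdict engine; heavily obfuscated samples will still need to be detonated in a sandbox.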

Just yesterday, Barracuda Labs intercepted thousands of copies of a spammed phishing attack aimed at customers of the popular online video rental service Netflix. While phishing attacks are nothing new, especially against financial institutions, this attack is particularly well done.

Below we present the details of the attack, showing how the unsuspecting Netflix member might fall victim, as well as what to look for to avoid it.

Taking a deeper look, the recipient will notice that the email was not addressed to anyone by name. Also, mousing over the link shows that it does not go to netflix.com. Instead, it goes to a deceptively similar domain, netflixus.com. This is easily confused with the real thing, since it is so similar and the suffix could be read as a geographical notation (US). Netflixus.com was registered on the same day that the phishing attack began, September 13. Clicking the “update” link sends the user to a login page that looks like what one would expect from Netflix.

One exception is the domain in the address bar: still netflixus.com. Additionally, the page is not served over HTTPS, which reputable sites always use when asking for login names and passwords or for credit card information. All of the other links on this page and on the following pages point to netflix.com, so mousing over them only reinforces the deception; what matters is the address bar and where the form itself submits. The ‘Continue' button takes the user to another part of the phishing site. As part of this experiment, we signed in with a fake username and password.

Once signed in, there is a landslide of warning signs. The first is that the user is immediately asked for credit card information. This page is very well designed, right down to an image of the back of a credit card to help locate the security code. Netflixus.com still shows in the address bar, and although credit card information is being requested, HTTPS is still not in use.
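Both the airline itinerary spam earlier on this page (accidentology.info with www.aa.com in the path or in a subdomain) and this Netflix phish (netflixus.com over plain HTTP) are caught by the same small set of link checks. The following Python is an added example and not Barracuda's code; its two-label registrable-domain heuristic and the sample links are assumptions made for illustration, and a production checker would use the Public Suffix List.

```python
# Added example (not Barracuda's code): inspect a link against the domain the
# message claims to be from. The two-label registrable-domain heuristic and
# the sample links are assumptions made for this example; a production checker
# would use the Public Suffix List.
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the owner-identifying part of a hostname (last two labels).

    Assumption: two labels are enough for the hosts on this page. Hosts under
    suffixes such as .co.uk need the Public Suffix List instead.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(url: str, expected_domain: str) -> list:
    """Return the reasons a link does not belong to expected_domain (empty = clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = expected_domain.lower()
    brand_label = brand.split(".")[0]        # "aa" for aa.com, "netflix" for netflix.com
    reg = registrable_domain(host)
    findings = []

    if reg != brand:
        findings.append(f"registrable domain is {reg}, not {brand}")
        # Brand pushed into a subdomain: www.aaa.com.reservation.<evil>.<tld>
        # Everything left of the registrable domain is chosen by the attacker.
        if any(brand_label in label for label in host.split(".")[:-2]):
            findings.append("brand name appears only in a subdomain label")
        # Brand pushed into the path: /www.aa.com.reservation/...
        if brand in parts.path.lower():
            findings.append("brand name appears only in the URL path")
        # Look-alike registrable domain: netflixus.com for netflix.com
        if brand_label in reg.split(".")[0]:
            findings.append(f"{reg} is a look-alike of {brand}")

    if parts.scheme.lower() != "https":
        findings.append("not HTTPS")         # no legitimate login or card form should lack it
    return findings


# Constructed links modelled on the two campaigns above; do not visit them.
SAMPLE_LINKS = [
    ("https://www.aa.com/reservation/viewFareRuleDetails.do", "aa.com"),
    ("http://accidentology.info/www.aa.com.reservation/viewFareRuleDetailsAccess.do.html", "aa.com"),
    ("http://www.aaa.com.reservation.accidentology.info/", "aa.com"),
    ("http://netflixus.com/Login", "netflix.com"),
    ("https://www.netflix.com/Login", "netflix.com"),
]


def scan_samples() -> dict:
    """Findings for every constructed sample, keyed by URL."""
    return {url: analyze_link(url, expected) for url, expected in SAMPLE_LINKS}


if __name__ == "__main__":
    for url, findings in scan_samples().items():
        print(url)
        for f in findings or ["looks consistent with the claimed sender"]:
            print("   -", f)
```

The expected domain has to come from somewhere other than the message itself, for example the brand the message claims to be from; the checker then asks whether the host that will actually receive the click belongs to that brand. Everything else in the URL, however familiar it looks, is decoration.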

We responded with a dummy credit card number as indicated below. Once that happens the site obligingly sends the user's browser to the real netflix.com home page:

This final redirect is one last touch to make the user feel comfortable with the transaction just completed.

This attack serves as a good reminder to always pay attention online. Regardless of how “real” an email or site looks, users should be especially wary of any that ask them to follow a link and enter credit card information, passwords and the like. There are several tell-tale signs of legitimacy to check, many of which are outlined above.

Customers using the Barracuda Spam & Virus Firewall, Barracuda Web Filter, and/or the Barracuda Web Filtering Service are protected from this attack.